Closed csarn closed 2 years ago
Hi Christoph,
Many thanks for that. That's great. I assume you're using FreeBSD whose echo doesn't support \t (I hadn't noticed). echo -e works with all systems I can play with, but printf is supposed to be even more portable. So I've merged your pull request and replaced the echo -e's with printfs. Can you pull the latest commit and see if it still works? Thanks.
cheers, raf
I'm on linux, not FreeBSD. But I just tested your modifications and printf works fine, both when using /bin/bash as sh and when using busybox sh.
I have some more local changes in my fork to output the "danectl status" as nslookup "update add... / update del ..." commands, is that something of interest to you? Or is that a niche use case that only I care about :)
Ah, I never checked with busybox either. Maybe it's similar to FreeBSD's /bin/sh. Thanks for checking.
As for the nsupdate commands (I assume you meant that), I am interested but maybe not the way you've done it. There are many DNS servers and services, all with their own ways of doing things, so I don't want any of them to be actually part of danectl itself. Instead, I imagined that separate programs could be written to take the output of "danectl check" (which is included in "danectl status" output), and do whatever is needed with it. I'm planning to write such a program to take that output and modify BIND9 zone files (because that's what I use). Another such program to produce and/or execute the corresponding nsupdate commands would be awesome. I can't really test the nsupdate version, but if you can share what you've done, I could convert it into a separate (probably perl) script.
Yes I meant nsupdate... An output wrapper would make more sense than hardcoding one way of doing DNS updates. Maybe I can provide that for nsupdate. What I did so far was just add "update add " and "update del " to the output line beginnings (and remove the semicolon for to-be-removed records), so nothing fancy.
Does this perl script work for you?
I'm a bit worried that the nsupdate documentation seems to require TTL for "update add" but that's not present in danectl output. It could be fixed if necessary. It's left out of the original zonefile format output because the TTL is usually specified globally for the domain and individual records just use the default. Hopefully the same thing applies with nsupdate.
nsupdate requires TTL somewhere, it does not have to appear on all "update " lines. An nsupdate session might look like:
zone example.com.
ttl 3600
update add example.com SSHFP 4 2 <hash>
send
I'll try out your script when I get around to it.
Thanks. The "zone" directive shouldn't(?) be needed. nsupdate documentation says that it tries to work that out by itself. I would have thought that the "send" directive wouldn't be needed at the end of the input, just between batches. But I could be wrong.
If the first version doesn't work as is, try this second one (danectl-nsupdate2). It includes a "ttl" directive. If that doesn't work, try the third one (danectl-nsupdate3). It also outputs "send" at the end.
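A small converter in the spirit of the danectl-nsupdate scripts discussed above, added here as an example and not the author's own script. It assumes (both assumptions, since the page does not show the format) that "danectl check" prints zone-file-style records one per line and that a leading semicolon marks a record to be removed; it emits an nsupdate batch with a "ttl" directive up front and "send" at the end.

```python
import re
from typing import Optional

# Constructed sample in the assumed "danectl check" output format:
# one zone-file-style TLSA record per line; a leading ';' (assumed)
# marks a record that should be deleted from the zone.
SAMPLE_CHECK_OUTPUT = """\
_25._tcp.mail.example.com. IN TLSA 3 1 1 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
;_25._tcp.mail.example.com. IN TLSA 3 1 1 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
"""

# name [IN] TYPE rdata, optionally commented out with ';'
RECORD_RE = re.compile(
    r'^(?P<removed>;)?\s*(?P<name>\S+)\s+(?:IN\s+)?(?P<type>[A-Z]+)\s+(?P<rdata>.+?)\s*$'
)


def to_nsupdate(check_output: str, ttl: int = 3600, zone: Optional[str] = None) -> str:
    """Turn assumed danectl-check output into an nsupdate input batch.

    Every 'update add' carries an explicit TTL (nsupdate requires one on add),
    deletions carry none (delete matches on name, type and rdata), and the
    batch is closed with a single 'send'.
    """
    lines = []
    if zone:
        lines.append(f"zone {zone}")
    lines.append(f"ttl {ttl}")  # default TTL for the session
    for raw in check_output.splitlines():
        if not raw.strip():
            continue
        m = RECORD_RE.match(raw)
        if not m:
            raise ValueError(f"unrecognised record line: {raw!r}")
        name, rtype, rdata = m["name"], m["type"], m["rdata"]
        if m["removed"]:
            lines.append(f"update delete {name} {rtype} {rdata}")
        else:
            lines.append(f"update add {name} {ttl} {rtype} {rdata}")
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_nsupdate(SAMPLE_CHECK_OUTPUT), end="")
```

Pipe the result into `nsupdate` (with whatever key options your server needs) rather than hard-coding a DNS backend, which matches the separate-program approach raf describes.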
`openssl rsa` created invalid TLSA hashes when applied to ecdsa cert.pem. Using `openssl pkey` works. Also, the output of `danectl status` and `danectl tlsa-{current,next}` was fixed to expand `\t` to TAB characters.